Microservices Expo Authors: TJ Randall, Liz McMillan, Elizabeth White, Pat Romanski, AppDynamics Blog

Related Topics: Microservices Expo

Microservices Expo: Article

Secure Web Services

Secure Web Services

Businesses need to provide their users with a method for securely connecting to their networks while minimizing the costs associated with providing this service - and also providing end users with as much convenience as possible.

As businesses embrace Web services as the method for delivering their applications, they are struggling with security issues. Network World recently reported that the top worry for IT executives deploying Web services is security. SSL (Secure Sockets Layer) can provide a viable alternative to Virtual Private Networking (VPN) companies for securing Web services.

Remote Access
Originally, remote end users connected to their corporate networks using dial-up modem services over POTS (plain old telephone service). This essentially provided businesses with a private connection to an end user, albeit temporary in nature. The primary security concern was one of authentication of the end user - guaranteeing that the business was letting the right people access the network through its modem pool.

As the Internet became ubiquitous, businesses longed for a way to eliminate the long-distance charges generated by their dial-up remote access services. End users were dialing into their ISPs locally to access the Internet with no long distance charges - why not just let them access the corporate network via the Internet? The simple answer was security. VPN companies came to the rescue.

VPNs typically put specialized software on the client machines as well as a machine acting as the gateway to the corporate network. These pieces collaborate to encrypt traffic between the end points, guarantee the identity of the remote users accessing the corporate network, and guarantee that end users connect to the right place. Businesses can enjoy the savings of eliminating long-distance charges while maintaining the security of a private connection.

There is, however, a downside. The specialized software that has to go on the client machine costs both time and money. The client software itself must be purchased and installed on every client machine that will be enabled to access the corporate network. Anyone who's been involved in these rollouts knows that words like "incompatible," "conflicting programs," and "pilot error" make the cost of deploying this crucial service much higher than simply the price of the software at the end points - especially when dealing with thousands of remote users.

The Internet, of course, was (and is) growing by leaps and bounds. But consumers at large were wary of sending their credit card information over the Internet and being defrauded. SSL was popularized as a method to eliminate this concern. As long as the little lock or key icon popped up in the end user's browser, he or she felt more at ease and willing to conduct transactions over the Internet.

Originally, SSL delivered two basic functions:

  • It allowed the browser to be certain that the site being connected to was genuinely the one requested (by using a form of authentication).
  • It secured the data that was in transit between a browser and a Web server by using encryption.
SSL allows end users to guarantee the identity of the server to which they're connecting. Certificate authority (CA) companies such as VeriSign sell certificates that are installed on the SSL server. The CA acts as an objective third party that forces the business requesting the certificate to prove its identity prior to being granted a certificate. End users or browsers can verify that the SSL server to which they're connecting has a valid certificate issued by a CA and actually belongs to the business to which they're attempting to connect using SSL. Finally, certificates are the mechanism used to associate a unique key used for encryption with a particular SSL server.

The browser and server exchange keys in order to be able to negotiate an encrypted session. SSL then encrypts data while it's flowing between the end user and the SSL server to secure the traffic while it's in transit.

These functions have been crucial to the success of online business. Without them, end users wouldn't have the peace of mind needed to share information required for completing business transactions over the Internet.

So Why Not Just Use SSL Instead of VPNs?
Every system that's used to connect to the Internet has the client software installed, by default, as SSL into every browser. End users are familiar with it. SSL is a widely adopted standard. There's no cost for the client software. There are no integration issues on either the client or corporate network side. So what's missing?

The majority of the SSL benefits discussed have been end user-centric. In order for SSL to be successfully used as a viable alternative to VPNs, another element is necessary - essentially, a method to control which clients are allowed access to the corporate network. The SSL-based solution must be able to guarantee the identity of the end user attempting to access the corporate network and decide whether he or she is allowed access. This can be accomplished using client certificates. The company can simply act as its own CA and have end users download certificates. This allows coverage of the basic security tenets: "who you are" (typically a user ID), "what you have" (in this case a valid company-issued SSL certificate), and "what you know" (a password).

This method allows the company to guarantee that only end users with valid certificates are able to access the network. The authentication must occur at a gateway point prior to the remote user's actually gaining access to the network. The key is having a gateway solution that allows a business to enforce these policies easily. With that in place, we have the security issues addressed - encrypted traffic between the end points, guaranteed identity of the remote users accessing the corporate network, and a guarantee that end users are connecting to the right place - all without the cost or administration problems associated with VPN solutions.

While the SSL solution works perfectly to secure Web services or Web-enabled applications and address the concerns expressed by IT executives, VPN technologies provide a few things that SSL can't - dictating that the technologies coexist. VPNs provide a solution for applications that aren't Web enabled, such as client/server-based applications, print services, and general file sharing. While SSL can certainly address downloading files through a browser, there isn't a solid solution for the other two applications at this time.

Businesses now have the opportunity to supply an SSL-based solution to the 80% of their user population that likely uses only 20% of the applications available (VPN services will continue to be required for the other 20% of the population). This shift will result in tremendous savings for businesses in terms of both time and money through:

  • Elimination of costs associated with specialized client software
  • Reduced help desk calls
  • Lowered demands on IT
  • Increased ease of use for remote users
Not exactly "adios VPNs, hello SSL." But as businesses embrace Web services through such efforts as Microsoft's .NET strategy (and J2EE-based platforms for Web services) and the Web enabling of most major business applications available now or within the near future, IT executives will be able to say "adios" to VPNs for a greater percentage of their end users and enjoy the bottom-line benefits as a result.


  • Fontana, John. (2002). "Top Web services worry: Security." www.nwfusion.com/news/2002/0121webservices.html?docid=7747
  • More Stories By Jeff Browning

    As Product Manager for F5 Networks, Jeff is responsible for driving the product and marketing strategy for F5's iControl API and Software Development Kit. With over 10 years of software industry experience, Jeff's extensive background in Web services, Enterprise Portals, and Software Development tools at leading companies like Microsoft and DataChannel helps bridge the gap between networking technologies and Web services applications for better performing, scalable, and secure enterprise solutions

    Comments (0)

    Share your thoughts on this story.

    Add your comment
    You must be signed in to add a comment. Sign-in | Register

    In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

    Microservices Articles
    At its core DevOps is all about collaboration. The lines of communication must be opened and it takes some effort to ensure that they stay that way. It’s easy to pay lip service to trends and talk about implementing new methodologies, but without action, real benefits cannot be realized. Success requires planning, advocates empowered to effect change, and, of course, the right tooling. To bring about a cultural shift it’s important to share challenges. In simple terms, ensuring that everyone k...
    Is advanced scheduling in Kubernetes achievable?Yes, however, how do you properly accommodate every real-life scenario that a Kubernetes user might encounter? How do you leverage advanced scheduling techniques to shape and describe each scenario in easy-to-use rules and configurations? In his session at @DevOpsSummit at 21st Cloud Expo, Oleg Chunikhin, CTO at Kublr, answered these questions and demonstrated techniques for implementing advanced scheduling. For example, using spot instances and co...
    Today most companies are adopting or evaluating container technology - Docker in particular - to speed up application deployment, drive down cost, ease management and make application delivery more flexible overall. As with most new architectures, this dream takes significant work to become a reality. Even when you do get your application componentized enough and packaged properly, there are still challenges for DevOps teams to making the shift to continuous delivery and achieving that reducti...
    Skeuomorphism usually means retaining existing design cues in something new that doesn’t actually need them. However, the concept of skeuomorphism can be thought of as relating more broadly to applying existing patterns to new technologies that, in fact, cry out for new approaches. In his session at DevOps Summit, Gordon Haff, Senior Cloud Strategy Marketing and Evangelism Manager at Red Hat, discussed why containers should be paired with new architectural practices such as microservices rathe...
    With the rise of Docker, Kubernetes, and other container technologies, the growth of microservices has skyrocketed among dev teams looking to innovate on a faster release cycle. This has enabled teams to finally realize their DevOps goals to ship and iterate quickly in a continuous delivery model. Why containers are growing in popularity is no surprise — they’re extremely easy to spin up or down, but come with an unforeseen issue. However, without the right foresight, DevOps and IT teams may lo...
    Kubernetes is a new and revolutionary open-sourced system for managing containers across multiple hosts in a cluster. Ansible is a simple IT automation tool for just about any requirement for reproducible environments. In his session at @DevOpsSummit at 18th Cloud Expo, Patrick Galbraith, a principal engineer at HPE, will discuss how to build a fully functional Kubernetes cluster on a number of virtual machines or bare-metal hosts. Also included will be a brief demonstration of running a Galer...
    DevOps is under attack because developers don’t want to mess with infrastructure. They will happily own their code into production, but want to use platforms instead of raw automation. That’s changing the landscape that we understand as DevOps with both architecture concepts (CloudNative) and process redefinition (SRE). Rob Hirschfeld’s recent work in Kubernetes operations has led to the conclusion that containers and related platforms have changed the way we should be thinking about DevOps and...
    In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, will discuss how to use Kubernetes to setup a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, deploying, and maintaining server and workstation infrastructure at all scales. He has experience with brick and mortar data centers as well as cloud providers like Digital Ocean, Amazon Web Services, and Rackspace....
    "There is a huge interest in Kubernetes. People are now starting to use Kubernetes and implement it," stated Sebastian Scheele, co-founder of Loodse, in this SYS-CON.tv interview at DevOps at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
    Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...